systembc | 318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd

General

Target

318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
Size

350KB
MD5

0dc61438b79668900bd081bac6109760
SHA1

2ee66fd972c2d28ad30775971ba95056951910f0
SHA256

318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd
SHA512

467b352ce6188e6126050c229cd47b526e83ef3535449c3f02b70491e159523d7cc8ebb28caab4e8d98627a22a0af1faf13b134072309dfe56ad175d18177ca7
SSDEEP

6144:RoX0oZ+rm/OV6ZH7XYuB4xpuMadbr2X3f+gOkXdhFr:Ry0xrm/h7XYuWCMaV2XWgO8hFr

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

knock0909.monster:4035

knock0909.xyz:4035

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 12 IoCs

Processes:

uwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exe

pid	process
4472	uwmdb.exe
2700	uwmdb.exe
4536	uwmdb.exe
1496	uwmdb.exe
1964	uwmdb.exe
1680	uwmdb.exe
2856	uwmdb.exe
4772	uwmdb.exe
2760	uwmdb.exe
4392	uwmdb.exe
780	uwmdb.exe
4032	uwmdb.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
1 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

flow	ioc
17	api.ipify.org
1	api.ipify.org

Suspicious use of SetThreadContext 7 IoCs

Processes:

318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exe

description	pid	process	target process
PID 3380 set thread context of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 4472 set thread context of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4536 set thread context of 1496	4536	uwmdb.exe	uwmdb.exe
PID 1964 set thread context of 1680	1964	uwmdb.exe	uwmdb.exe
PID 2856 set thread context of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2760 set thread context of 4392	2760	uwmdb.exe	uwmdb.exe
PID 780 set thread context of 4032	780	uwmdb.exe	uwmdb.exe

Drops file in Windows directory 2 IoCs

Processes:

318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\uwmdb.job	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
File created	C:\Windows\Tasks\uwmdb.job	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe

pid	process
5116	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
5116	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exeuwmdb.exe

description	pid	process	target process
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 3380 wrote to memory of 5116	3380	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe	318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4472 wrote to memory of 2700	4472	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 4536 wrote to memory of 1496	4536	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 1964 wrote to memory of 1680	1964	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2856 wrote to memory of 4772	2856	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 2760 wrote to memory of 4392	2760	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe
PID 780 wrote to memory of 4032	780	uwmdb.exe	uwmdb.exe

C:\Users\Admin\AppData\Local\Temp\318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
"C:\Users\Admin\AppData\Local\Temp\318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe
"C:\Users\Admin\AppData\Local\Temp\318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4472

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
2⤵
- Executes dropped EXE
PID:2700

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
2⤵
- Executes dropped EXE
PID:1496

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
2⤵
- Executes dropped EXE
PID:1680

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
2⤵
- Executes dropped EXE
PID:4772

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
2⤵
- Executes dropped EXE
PID:4392

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:780

C:\ProgramData\magm\uwmdb.exe
C:\ProgramData\magm\uwmdb.exe start
2⤵
- Executes dropped EXE
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

1

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\magm\uwmdb.exe
Filesize
350KB

MD5
0dc61438b79668900bd081bac6109760

SHA1
2ee66fd972c2d28ad30775971ba95056951910f0

SHA256
318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd

SHA512
467b352ce6188e6126050c229cd47b526e83ef3535449c3f02b70491e159523d7cc8ebb28caab4e8d98627a22a0af1faf13b134072309dfe56ad175d18177ca7

Download Submit
memory/780-149-0x0000000000EF0000-0x0000000000FF0000-memory.dmp

Filesize
1024KB

Download
memory/1964-68-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download
memory/1964-75-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download
memory/2760-131-0x0000000000F50000-0x0000000001050000-memory.dmp

Filesize
1024KB

Download
memory/2760-124-0x0000000000F50000-0x0000000001050000-memory.dmp

Filesize
1024KB

Download
memory/2856-96-0x0000000001020000-0x0000000001120000-memory.dmp

Filesize
1024KB

Download
memory/2856-103-0x0000000001020000-0x0000000001120000-memory.dmp

Filesize
1024KB

Download
memory/3380-2-0x00000000011A0000-0x00000000011AA000-memory.dmp

Filesize
40KB

Download
memory/3380-1-0x0000000000E60000-0x0000000000F60000-memory.dmp

Filesize
1024KB

Download
memory/4472-15-0x0000000000D40000-0x0000000000E40000-memory.dmp

Filesize
1024KB

Download
memory/4536-39-0x0000000000F60000-0x0000000001060000-memory.dmp

Filesize
1024KB

Download
memory/5116-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5116-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5116-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads